Re: [opensuse] 12.1 LDAP nscd Samba problems

On Wednesday 23 November 2011, 18:14:44, lynn wrote:
On 23/11/11 17:44, Ralf Haferkamp wrote:

Hm, this sounds like a missing
bind_policy soft

in /etc/ldap.conf. Can you check that? If that is missing and you
set up the LDAP client using YaST, please open a bug report.

Yes I have:
bind_policy soft
in /etc/ldap.conf

But to make tls work I had to change /etc/openldap/ldap.conf:

TLS_CACERT /etc/openldap/cacert.pem

Does that make any difference?
Hm, normally YaST adds those lines. I have no idea why it didn't work in
your case.

bugzilla as to why, here:

Is there any reason you are using nss_ldap instead of sssd, btw?
No reason. I've done this as a newbie because I had to make a single
sign on setup for our LAN when win 7 boxes were connected. Otherwise it
would have cost us a small fortune for the local computer consultancy
to do it for us. I've done most of this via YaST. I made the
certificates for tls support by hand because the 12.1 YaST CA
management module is broken:

Other than this I have no idea what the difference is between nss_ldap
and sssd. You seem to suggest that sssd is better.
It's better insofar as it is actually maintained. nss_ldap didn't get a
lot of attention upstream lately. Additionally it adds some nice features
like offline caching and integrated kerberos support. It also addresses
some linker issues we had with nss_ldap which caused problems with
thunderbird and openoffice in the past. (Especially if nscd was

If so, is it easy to change?
It's possible through YaST ldap-client. Should work by just clicking the
"Use sssd" checkbox. If you didn't have nss_ldap installed before
starting the YaST ldap-client module sssd should actually be the default

